Install CLI

Now that you are logged in, you are ready to import your project.

From the Add Projects page, you can either Integrate Locally (using the CLI) or use Quick Import.

TIP

We recommend starting by Quick Importing your entire GitHub organization to get rapid coverage over your projects. You can then selectively integrate the CLI on projects where Quick Import's static analysis results are inaccurate or noisy.

Recommended for Technical Users

This method requires use of a Command Line Interface and knowledge of your codebase. If you're not a developer yourself, we recommend getting a developer to help you—or you can try our Quick Import method.

The most accurate way to integrate FOSSA is to analyze code locally with FOSSA CLI, our open source build client fossa-cli.

This method requires a working build, but is the most performant, accurate, and secure method of integration.

Pick this method if:

  • You don’t want to give FOSSA servers access to your code (due to IT, policy or logistical reasons)
  • You need accurate and performant build results
  • You already have a configured build environment in a CI or local dev machine
  • You've already tried Quick Import for this project, but need to use more advanced configuration or build analysis to get results at the desired level of accuracy

Click Integrate Locally (CLI) to start importing your project.

Click View Guide to access the installation instructions.

Install the client with the one-line terminal command for your platform.

macOS and Linux:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Windows (cmd.exe):

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.ps1'))"

Both commands fetch the install script from the master branch and run it immediately. You can also download directly from our Releases page.

Refer to our documentation on GitHub or Supported Languages for in-depth configuration advice.

NOTE

All imported projects are run against the Standard Bundle Distribution licensing policy, by default.

After configuration, you should be able to just run fossa and get a link to a report in the output:

==========================================================

   View FOSSA Report: https://app.fossa.com/{YOUR_LINK}

==========================================================

This import method takes advantage of existing build environments to integrate with your build tool and perform build and dynamic analysis. Therefore, it can provide better accuracy for complex codebases where Quick Import and its static analysis results are inaccurate or noisy.

What’s Getting Uploaded?

Using FOSSA’s CLI is secure: it does not grant FOSSA any code access and will only send back public dependency signatures to app.fossa.com. In fact, you can directly preview what is getting uploaded by running fossa -o and even inspect our code openly on GitHub to understand the exact behavior.

For example, the results for your project may be:

[
  {
    "Name": "fossa-cli",
    "Type": "golang",
    "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
    "Build": {
      "Dependencies": [
        {
          "locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
          "data": {
            "name": "github.com/rhysd/go-github-selfupdate",
            "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"
          }
        },
        ...
      ],
      ...
    }
  },
  ...
]
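The preview can also be reviewed programmatically before anything is uploaded. The script below is an added example, not part of FOSSA's tooling: it walks JSON shaped like the sample above, splits each locator into fetcher, package and revision, and flags entries to review. The `audit_upload` function, the `internal_prefixes` list and the `git.corp.example` dependency are hypothetical.

```python
import json
import re

# Locator shape taken from the page's sample: <fetcher>+<package>$<revision>
LOCATOR_RE = re.compile(r"^(?P<fetcher>[^+]+)\+(?P<package>[^$]+)\$(?P<revision>.+)$")

def audit_upload(modules, internal_prefixes):
    """Return (rows, findings) for parsed `fossa -o` style JSON."""
    rows, findings = [], []
    for module in modules:
        mod_name = module.get("Name", "<unnamed>")
        deps = (module.get("Build") or {}).get("Dependencies") or []
        for dep in deps:
            locator = dep.get("locator", "")
            m = LOCATOR_RE.match(locator)
            if not m:
                findings.append((mod_name, locator, "unparseable locator"))
                continue
            pkg, rev = m["package"], m["revision"]
            rows.append((mod_name, m["fetcher"], pkg, rev))
            # The "data" block should repeat what the locator already says.
            data = dep.get("data") or {}
            if data.get("name") != pkg or data.get("version") != rev:
                findings.append((mod_name, locator, "locator/data mismatch"))
            # Assumption: names under these prefixes are private to your org.
            if any(pkg.startswith(p) for p in internal_prefixes):
                findings.append((mod_name, locator, "internal package name"))
    return rows, findings

# Constructed sample: the first dependency is the one shown on this page,
# the second is made up to show an internal module name in the upload.
SAMPLE = json.loads("""
[{"Name": "fossa-cli", "Type": "golang",
  "Manifest": "github.com/fossas/fossa-cli/cmd/fossa",
  "Build": {"Dependencies": [
    {"locator": "go+github.com/rhysd/go-github-selfupdate$d5c53b8d0552a7bf6b36457cd458d27c80e0210b",
     "data": {"name": "github.com/rhysd/go-github-selfupdate",
              "version": "d5c53b8d0552a7bf6b36457cd458d27c80e0210b"}},
    {"locator": "go+git.corp.example/payments/ledger$1a2b3c",
     "data": {"name": "git.corp.example/payments/ledger", "version": "1a2b3c"}}
  ]}}]
""")

if __name__ == "__main__":
    rows, findings = audit_upload(SAMPLE, internal_prefixes=["git.corp.example/"])
    for row in rows:
        print("dep    ", *row)
    for finding in findings:
        print("REVIEW ", *finding)
```

To check a real project, replace `SAMPLE` with the parsed output of `fossa -o`. Dependency names are what leaves the machine, so names of internal modules are the entries worth a look before upload.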